I have a mixed Linux/Windows software development environment where the Linux clients are migrating to a system where they are able to authenticate against Active Directory. (That part I figured out)

Our lab is currently using CVS to conduct version control on our source code. In the migration, we will need users to be able to authenticate to our CVS server. I have it planned such that when the migration occurs, we will set up the CVS server to also authenticate users against AD.

Unfortunately, I do not have a lot of experience with CVS. Is this task even possible? From what I understand, it can be set up to authenticate users based on the local users on the system. However, since the actual users won't have their credentials stored locally on the server (as it's pulling them from AD), is it possible to point CVS to rely upon pam for authentication?

I have read about accessing CVS over SSH with user credentials. Would that be a requirement for this to occur? If so, how does one set this up?

2 Answers
2

This is going to be rather long, but let's do it anyway. First of all, yes this can be done. I can't supply much in the way of configuring CVS, but I can provide all you need to make a linux server authenticate users against Active Directory.
It all starts with /etc/nsswitch.conf. Here is the relevant section:passwd: files ldap compatshadow: files ldap compatgroup: files ldap compat

Now, depending on what distro you are using, you will need to install some ldap packages. Under Redhat/Fedora/CentOS this would be nss_ldap, under Debian/Ubuntu and the likes, you will need libnss-ldap and libpam-ldap. I would also recommend some ldap-utils for debugging.

With the above your name services will attempt to use LDAP, so now you need to configure the various LDAP packages to use your AD server. The search base should be base cn=Users,dc=aminocom,dc=com and the bind DN should be binddn cn=LDAPsearch,cn=Users,dc=aminocom,dc=com. You will need to define a specific User to allow browsing of the AD. We have created a user named LDAPSearch, and put its credentials into a separate file named .secret. Read the documentation of these packages for more detail. Furthermore I would recommend a soft bind policy and the following attribute mappings:

All of this assumes that you have the Windows Services for Unix installed on your domain controller. In AD you will need to configure a primary Unix group (in our case called nixUsers) and add every CVS user into that group.
You should probably be able to use AD directly (i.e. without the Windows Services for Unix), but that will require different attribute mappings. You might have to experiment a bit there.

Now we get to the PAM configuration. Under Debian there are basically 4 files that need modifications:

Under Redhat (and derivatives) all the necessary changes should go into the relevant sections in /etc/pam.d/system-auth and /etc/pam.d/system-auth-ac.

The above will allow users to log in with AD credentials. However, this does NOT automatically create a home directory for them (unless you do some more scripting around that) and it does not allow them to change their passwords through linux. This can be done, too, but it requires modification of their workstations (if they use Linux). Any more questions re the above, just ask.